On 30 Aug 2001, David Wagner wrote:

> Chris Wright wrote:
> >the bdflush hook can be getting a userspace pointer ('long data' is
> >a pointer for some values of 'int func'). it seems like we should
> >at least note this, since we prefer giving the module kernel space
> >pointers.
>
> Good catch. This is dangerous, and in my opinion probably deserves more
> than just a comment. In particular, in cases where it represents a
> userspace pointer, it must be ignored, or else the module will almost
> surely inherit a security hole. (Heaven save us from ioctl-like
> interfaces, where the usage of parameters is inconsistent.)
>

In the case of this hook, 'data' is either a value (5, 10, 35, etc.), or a pointer to user-space memory where values are written. If somebody is writing a security module, they better know what the parameters mean.

The question is, would an LSM module ever have to write into the user data space? Well, based on the placement of the hook call, no, because the kernel will write the data after the hook is called. I don't see a race condition either, because the data read is by value.

What types of dangerous conditions do you think this hook creates?

--
Wayne Salamon
wsalamonat_private
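The dual meaning of 'data' discussed in this thread, as an added user-space C model that is not part of the original message or of the LSM patch. The func decoding (even values of func >= 2 make 'data' a user pointer, odd values make it a plain value) is an assumption taken from the 2.4-era sys_bdflush(); `bdflush_data_kind`, `example_bdflush_hook` and `POLICY_MAX_VALUE` are hypothetical names.

```c
#include <stdio.h>

/* How 'long data' is to be read for a given 'int func'.
 * Assumed from the 2.4-era sys_bdflush(), not quoted on this page:
 *   func < 2             -> data is not used
 *   func >= 2, func even -> read a parameter: data is a USER pointer that
 *                           the kernel fills in after the hook has run
 *   func >= 2, func odd  -> set a parameter: data is the new VALUE
 */
enum data_kind { DATA_UNUSED, DATA_VALUE, DATA_USER_PTR };

enum data_kind bdflush_data_kind(int func)
{
    if (func < 2)
        return DATA_UNUSED;
    return (func & 1) == 0 ? DATA_USER_PTR : DATA_VALUE;
}

#define POLICY_MAX_VALUE 100L  /* constructed policy limit for the demo */

/* Hypothetical module hook: returns 0 to allow, -1 to deny. */
int example_bdflush_hook(int func, long data)
{
    switch (bdflush_data_kind(func)) {
    case DATA_VALUE:
        /* data was passed by value, so it can be checked directly */
        return (data >= 0 && data <= POLICY_MAX_VALUE) ? 0 : -1;
    case DATA_USER_PTR:
        /* data is a user-space address: never dereference it and never
         * base the decision on what it points to; decide on func alone */
        return 0;
    default:
        return 0;
    }
}

int main(void)
{
    /* constructed sample calls: { func, data } */
    long calls[][2] = { {1, 0}, {3, 35}, {3, 5000}, {2, 0x7fff1234L} };
    for (unsigned i = 0; i < sizeof calls / sizeof calls[0]; i++)
        printf("func=%ld data=%#lx -> kind=%d verdict=%d\n",
               calls[i][0], (unsigned long)calls[i][1],
               bdflush_data_kind((int)calls[i][0]),
               example_bdflush_hook((int)calls[i][0], calls[i][1]));
    return 0;
}
```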